I just recently received a question from one of my users not being able to activate has account, and I have been able to reproduce it on a new test install on version Discourse 1.4.0.beta9 - https://github.com/discourse/discourse version 4c2df814de4671880d532ae6514c470d831b7009:
Set email token valid hours to something short, like 1.
Register a new account.
Ignore the activation mail for 1 hour.
Try using the link, get Sorry, this account confirmation link is no longer valid. Perhaps your account is already active?.
Try to log in, get You can't log in yet. We previously sent an activation email to you at test2@fefrei.de. Please follow the instructions in that email to activate your account. Click here to send the activation email again.
Click to resend the activation mail.
Open the new activation mail, and click the (different) link, click Activate, get another Sorry, this account confirmation link is no longer valid. Perhaps your account is already active?.
Click the Discourse logo to navigate to the main page. Surprise: You’re logged in!
So it seems that step 7 is actually working (as it should), but the user is still shown the error message.
I have a user report for my site, which was set to 6 hours. I set it to 1 in my test install because my patience is limited to 61 minutes and I didn’t want to fiddle with the clock
Re-try to login. Once again, Discourse tells me it sent out an activation mail. I did not get the screen telling me that I can re-send the mail – it looked just as in step 1! Discourse sends out a new activation mail:
Try to activate the account, which once again fails.
This failure is no surprise: Discourse sent out the old, expired token again! Look at my screenshots above, which include the date and time (both were captured just now, so no date means 21.08.2015).
While I’m not entirely sure why the behavior differs, the core difference seems to be SSO (my test install did not use SSO!). Both versions seem like a bug to me, with this one being more severe.
The second SSO login issue you reported is unrelated to the original issue, and I can repro it on my dev instance. I have a fix for it, but need to test it thoroughly.